Although one-time pad encrypted files can be sent through Internet channels, the need for renewing shared secret keys has made this method impractical. This work presents a scheme to make the fast sharing of random keys over arbitrary Internet channels practical. Starting with a shared secret key sequence of length $K_0$ the users end up with a secure new sequence $K \gg K_0$. Using these sequences for a posteriori message encryption the legitimate users have absolute security control without the need for third parties. Additionally, the security level does not depend on the unproven difficulty of factoring numbers into primes. In the proposed scheme a fast optical random source generates random bits and noise for key renewals. The transmitted signals are recorded signals that carry both the random binary signals to be exchanged and physical noise that cannot be eliminated by the attacker. These signals allow amplification over the Internet network without degrading security. The proposed system is also secure against a posteriori known-plaintext attack on the key. Information-theoretic analysis is presented and bounds for secure operation are quantitatively determined.
INTRODUCTION

Unconditionally secure one-time pad encryption has not found wide applicability in modern communications. The difficulty for users to share long streams of secret keys beforehand has been an insurmountable barrier preventing widespread use of one-time pad systems. Even beginning with a start sequence of shared secret keys, no practical amplification method to obtain new key sequences or key "refreshing" is available. This work proposes a solution for this problem where transmitted random bit sequences are protected by physical noise. Secure operational bounds are imposed by the noise level used and a controlled number of bits transmitted. Posterior data encryption is done by XOR-ing bit-by-bit the shared random bits with the message bits, as in one-time pad encryption.

The method involves binary random sequences physically created (key sequence) $X = x_1, x_2, \ldots$ to be transmitted between the legitimate users A to B, and physical noise sequences $n = n_1, n_2, \ldots$ that are not controlled or reducible by any means and will be physically superposed on $X$. A and B share a starting secret key $K_0$. Also essential for the method is the use of physical non-orthogonal bases specified by shared keys $K$ to encode the message bits $X$, before the deterministic "recording" of the noisy signals described by $Y$. The transmitted signals are open to the attacker but improving signal resolution is impossible over the deterministic patterns. This simplifies the security considerations, distinctly from cases where the attacker has access to physical signals in the channel and may constantly improve its technology for signal resolution by performing homodyne, heterodyne or any other measurement.

It will be assumed that (statistical) physical noise $n$ can be added to a message bit sequence $X$ according to some rule $f_j(x_j, n_j)$ giving $Y = f_1(x_1, n_1), f_2(x_2, n_2), \ldots$ (Whenever only binary physical signals are implied, use of $f_j(x_j, n_j)$ will represent $f_j = \oplus$ (= addition mod 2)). When analog physical signals are made discrete by analog-to-digital converters, a sum of a binary signal onto a discrete set will be assumed, or other convenient rounding of the signal. $f_j$ describes operations on non-orthogonal bases specified by shared keys $K$, as will be explained. The addition process is performed at the emitter station and $Y$ becomes a binary file carrying random bits and the recorded noise. $Y$ is sent from user A to user B (or from B to A) through an insecure channel and can be tapped with perfection (any copies will be identical to each other) by the attacker. The amount of noise is assumed high and such that without any knowledge beyond $Y$, neither B (or A) nor an attacker E could extract the sequence $X$ with a probability $P$ better than $P \approx (1/2)^N$, where $N$ is the number of bits transmitted. The conditional entropy for these randomized signals satisfies

$$H(Y \,|\, K_0, X) \neq 0, \qquad (1)$$

which guarantees that even knowing the message $X$ and the key $K_0$, the transmitted sequence $Y$ is not unique. This emphasizes the uncontrollable character of the physical noise present at each signal generation.

Assuming that A and B share some knowledge beforehand (the key $K_0$ or $K$), the amount of information between A (or B) and E differs. This information asymmetry can be expressed by

$$H_{AB}(X \,|\, Y, K) \,(\approx 0) \;\ll\; H_E(X \,|\, Y) \,(\approx H(X)). \qquad (2)$$

The mutual information reflects that E has much less information on $X$ than A and B:

$$I_{AB}(X; Y, K) = H(X) - H_{AB}(X \,|\, Y, K) \approx H(X), \qquad (3)$$






$$I_E(X; Y) = H(X) - H_E(X \,|\, Y) \approx 0. \qquad (4)$$

This asymmetry will be used by A and B to share secure information over the Internet. It will be shown that if A and B start by sharing a secret key sequence $K_0$ they end up with a secure new key sequence $K \gg K_0$. Within bounds to be demonstrated, this makes bit-by-bit encryption (as a one-time pad) practical for fast Internet communications (data, image or sound). It should be emphasized that being secure does not imply that $K_0$ can be opened to the attacker after transmission. All keys, $K_0$ and $K$, have to be kept secret as long as messages have to be protected, as in one-time pad communication.

The system gives users A and B direct control to guarantee secure communication without use of third parties or certificates. Some may think of the method as an extra protective layer to current Internet encryption protocols, and it may be used as such. In fact, the system operates on top of all IP layers and does not disturb current protocols in use by Internet providers, including security ones. In any case, it should be emphasized that the proposed method relies on security created by physical noise. This way, its security level does not depend on advances in algorithms or computation. Also, the proposed protocol does not need to be modified to follow improvements in communication technology. Moreover, it works as a stand-alone system.

Random events of physical origin cannot be deterministically predicted and are sometimes classified as classical or quantum events (see examples of differences between quantum and classical random walks in the literature). The point of view adopted here is that a recorded classical random event is just the record of a single realization among all the possible quantum trajectories. All of these distinct classifications are not relevant to the practical aspects to be discussed here. However, what should be emphasized is that physical noise is completely different from pseudo noise generated in a deterministic process (e.g. hardware stream ciphers) where, despite any complexity introduced, the deterministic generation mechanism can be searched for, eventually discovered and used by the attacker.

SIGNAL ENCODING 

Before introducing the communication protocol to be used, one should discuss the superposition of physical signals on deterministic binary signals. Any signal transmitted over the Internet is physically prepared to be compatible with the channel being used. This way, e.g., voltage levels $V_0$ and $V_1$ in a computer may represent bits. These values may be understood as the simple encoding



Technical noise, e.g. electrical noise, in the bit levels $V_0$ and $V_1$ is assumed low. Also, channel noise is assumed to have a modest level. Errors caused by these noises are assumed to be correctable by classical error-correction codes. In any case, the end user is supposed to receive the bit sequence $X$ (prepared by a sequence of $V_0$ and $V_1$) as determined by the sender.

If one of these deterministic binary signals $x_j$ is repeated over the channel, e.g. $x_1 = x$ and $x_2 = x$, one has the known property $x_1 \oplus x_2 = 0$. This property has to be compared to cases where a non-negligible amount of physical noise $n_j$ (in analog or discrete form) has been added to each emission. Writing $y_1 = f_1(x_1, n_1) = f_1(x, n_1)$ and $y_2 = f_2(x_2, n_2) = f_2(x, n_2)$, one has $f(y_1, y_2) =$ neither 0 nor 1 in general. This fundamental difference from the former case, where $x_1 \oplus x_2 = 0$, emphasizes the uncontrollable effect of the noise.

The encoding shown above allows binary values $V_0$ and $V_1$ to represent bits 0 and 1, respectively. These values are assumed to be determined without ambiguity. Instead of this unique encoding, consider that two distinct encodings can be used to represent bits 0 and 1: either $V^{(0)}$, over which $x_0^{(0)}$ and $x_1^{(0)}$ represent the two bits 0 and 1 respectively, or $V^{(1)}$, over which $x_1^{(1)} = x_0^{(0)} + \epsilon$ and $x_0^{(1)} = x_1^{(0)} + \epsilon$ ($\epsilon \ll 1$) represent the two bits 1 and 0 (in a different order from the former assignment). These encodings represent physical signals as, for example, phase signals.

Assume noiseless transmission signals but where noise $n_j$ has been introduced or added to each $j$-th bit sent (this is equivalent to noiseless signals in a noisy channel). Consider that the user does not know which encoding, $V^{(0)}$ or $V^{(1)}$, was used. With a noise level $n_j$ superposed on the signals in $V^{(0)}$ or $V^{(1)}$, and if $|x_0^{(0)} - x_1^{(0)}| \gg n_j \gg \epsilon$, one cannot distinguish between signals 0 and 1 in $V^{(0)}$ and $V^{(1)} = V^{(0)} + \epsilon$, but one knows easily that a signal belongs either to the set "0 in $V^{(0)}$ or 1 in $V^{(1)}$" or to the set "1 in $V^{(0)}$ or 0 in $V^{(1)}$". Also note that once the encoding used is known, there is no difficulty in distinguishing between $x_j$ and $x_j + \epsilon$. In this case, it is straightforward to determine a bit 0 or 1 because values in a single encoding are widely separated and, therefore, distinguishable. One may say that without information on the encoding used, the bit values cannot be determined.

Physical noise processes will be detailed ahead, but this indistinguishability of the signals without basis information is the key that allows A and B to share random bits over the Internet in a secure way.

Encryption methods with randomized ciphers have been proven to be secure, e.g., when the attacker's memory is limited. More recently, physical noise has been used both in free propagation and fiber-optics based systems using M-ary levels [1] for data encryption ($\alpha\eta$ systems), and these have been analyzed ever since. The system proposed here is distinct from those $\alpha\eta$ systems, but the idea of covering information with physical noise underlies both logical structures. The proposed system is more closely related to an earlier key distribution system but differs from it by the use of a deterministic channel to carry noisy-recorded information (some other aspects have been shown elsewhere) and by the use of just two encryption bases. Use of the (ideally) deterministic channel, or high intensity channels, makes this system slower than the $\alpha\eta$ systems [5] due to the recording stage, but avoids the amplification problems related to those systems.



DISTRIBUTION PROTOCOL 

A brief description of the protocol steps will be made before a theoretic-security analysis that includes the system's limitations is presented. Assume that the shared sequence $K_0$ gives encoding information, that is to say, which encoding ($V^{(0)}$ or $V^{(1)}$) is being used at the $j$-th emission. Assume that $K_0 = k_1^{(0)}, k_2^{(0)}, \ldots$ has length $K_0$ and that the user A has a physical random generator PhRG able to generate random bits and noise in continuous levels. A generates a binary random sequence $K_1 = k_1^{(1)}, k_2^{(1)}, \ldots, k_{K_0}^{(1)}$ (say, binary voltage levels) and a sequence of $K_0$ noisy signals $n$ (e.g., voltage levels in a continuum). The deterministic sequence (carrying recorded noise)

$$Y_1 = k_1^{(0)} \oplus f_1(k_1^{(1)}, n_1^{(1)}),\; k_2^{(0)} \oplus f_2(k_2^{(1)}, n_2^{(1)}),\; \ldots$$

is then sent to B. First, one has to see if B is able to extract the fresh sequence $K_1$ from $Y_1$: B applies

$$f(Y_1, K_0) = f_1(k_1^{(1)}, n_1^{(1)}),\; f_2(k_2^{(1)}, n_2^{(1)}),\; \ldots,\; f_N(k_N^{(1)}, n_N^{(1)}).$$

As B knows the encoding used, and the signals representing bits 0 or 1 in a given encoding are easily identifiable, B obtains $k_1^{(1)}, \ldots, k_N^{(1)}$. B then obtains the new random sequence $K_1$ generated by A.

Is the attacker also able to extract the same sequence $K_1$? Actually, this was a one-time pad with $K_0$ with added noise and, therefore, it is known that the attacker cannot obtain $K_1$. The security problem arises for further exchanges of random bits, e.g. if B wants to share further secret bits with A.

Assume that B also has a physical random generator PhRG able to generate random bits and noise in continuous levels (one could proceed with A being the sole one generating random signals, but the problem is identical). B wants to send in a secure way a freshly generated key sequence $K_2 = k_1^{(2)}, k_2^{(2)}, \ldots, k_N^{(2)}$ from his PhRG to A. B records the signals

$$Y_2 = k_1^{(1)} \oplus f_1(k_1^{(2)}, n_1^{(2)}),\; k_2^{(1)} \oplus f_2(k_2^{(2)}, n_2^{(2)}),\; \ldots$$

and sends them to A. As A knows $K_1$, he (or she) applies $Y_2 \oplus K_1$ and extracts $K_2$. A and B now share the two new sequences $K_1$ and $K_2$. For speeding up communication, even a simple rounding process to the nearest encoding position would produce a simple binary output for the operation $f_j(k_j, n_j)$. The security of this process will be shown after a presentation of the complete distribution protocol.

The simple description presented shows a key distribution from A to B and from B to A, with the net result that A and B share the fresh sequences $K_1$ and $K_2$. These steps can be seen as a first distribution cycle. A could again send another fresh sequence $K_3$ to B and so on. This repeated procedure provides A and B with sequences $K_1, K_2, K_3, K_4, \ldots$. This is the basic and simple key distribution protocol for the system.

A caveat should be made. Although the key sharing seems adequate to go on without bounds, physical properties impose some constraints and length limitations, as discussed ahead.
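The distribution cycle described above, simulated with phase-encoded signals in the two bases of Fig. 1 and Gaussian phase noise standing in for the PhRG, as an added Python example that is not part of the paper; the parameter values, the Gaussian noise model and the fixed-basis reading used for the attacker are assumptions:

```python
import math
import random

# Constructed parameters (not taken from the paper's figures): the basis spacing
# must be much smaller than the phase noise, which in turn must be much smaller
# than the pi separation between bits inside one basis (the ordering of Eq. 9).
DELTA_PHI = 0.02   # spacing between the two bases (rad)
SIGMA_PHI = 0.25   # standard deviation of the recorded phase noise (rad)
TWO_PI = 2.0 * math.pi


def encode_phase(bit, k, delta_phi=DELTA_PHI):
    """Phase of `bit` in encoding k (Fig. 1): k=0 -> {0: 0, 1: pi};
    k=1 -> {0: pi + delta_phi, 1: delta_phi}."""
    if bit == 0:
        return (k * (math.pi + delta_phi)) % TWO_PI
    return (math.pi + k * (math.pi + delta_phi)) % TWO_PI


def angular_distance(a, b):
    """Shortest distance between two phases on the circle."""
    d = abs(a - b) % TWO_PI
    return min(d, TWO_PI - d)


def record(bits, basis, rng, sigma=SIGMA_PHI):
    """Emitter side, f_j(k_j, n_j): encode each bit in the basis selected by the
    shared key bit and superpose physical (here Gaussian) phase noise. The
    returned list is the deterministic file Y sent over the open channel."""
    return [(encode_phase(b, k) + rng.gauss(0.0, sigma)) % TWO_PI
            for b, k in zip(bits, basis)]


def decode(y, basis):
    """Receiver side: knowing the basis of each position, choose the nearer of
    the two (widely separated) phases of that basis."""
    out = []
    for phase, k in zip(y, basis):
        d0 = angular_distance(phase, encode_phase(0, k))
        d1 = angular_distance(phase, encode_phase(1, k))
        out.append(0 if d0 <= d1 else 1)
    return out


def random_bits(n, rng):
    """Stand-in for the binary output of a PhRG."""
    return [rng.randrange(2) for _ in range(n)]


def distribution_cycle(k0, rng):
    """One cycle: A sends K1 in bases K0, then B sends K2 in bases K1."""
    n = len(k0)
    k1 = random_bits(n, rng)        # fresh key from A's generator
    y1 = record(k1, k0, rng)        # Y1, open to the attacker
    k1_at_b = decode(y1, k0)        # B uses K0 to read K1
    k2 = random_bits(n, rng)        # fresh key from B's generator
    y2 = record(k2, k1_at_b, rng)   # Y2, bases chosen by the K1 B just obtained
    k2_at_a = decode(y2, k1)        # A uses its own K1 to read K2
    return {"k1": k1, "k1_at_b": k1_at_b, "k2": k2, "k2_at_a": k2_at_a, "y1": y1}


def attacker_bit_error_rate(y, true_bits):
    """E owns a perfect copy of Y but no basis information. Reading every
    position in a fixed basis is right exactly where that basis was used and
    inverted where the other one was, so the error rate is about 1/2 whatever
    the fixed guess; since the recorded noise already exceeds delta_phi, the
    file itself does not reveal which basis each position used."""
    guess = decode(y, [0] * len(y))
    return sum(g != t for g, t in zip(guess, true_bits)) / len(y)


def simulate(n_bits=2000, seed=1):
    rng = random.Random(seed)
    k0 = random_bits(n_bits, rng)   # shared starting key K0
    cycle = distribution_cycle(k0, rng)
    return {
        "b_recovers_k1": cycle["k1_at_b"] == cycle["k1"],
        "a_recovers_k2": cycle["k2_at_a"] == cycle["k2"],
        "attacker_error_rate": attacker_bit_error_rate(cycle["y1"], cycle["k1"]),
    }


if __name__ == "__main__":
    print(simulate())
```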



PHYSICAL ENCODING 

A and B use PhRGs to generate the physical signals creating the random bits that define the key sequences $K$ and the continuous noise $n$ necessary for the protocol. Being physical signals, precise variables have to be discussed and the noise source well characterized. Analog-to-digital interfaces will transform the physical signals into binary sequences adequate for Internet transmission protocols. Optical sources for the noise signals can be chosen for fast speeds. PhRGs have been discussed in the literature and even commercial ones are now starting to be available. Increasing operational speeds are expected. Without going into details, one could divide the PhRG into two parts, one generating random binary signals and another providing noise in a continuous physical variable (e.g., the phase of a light field). These two signals are detected, adequately formatted and can be added.

Taking the phase of a light field as the physical variable of interest, one could assume laser light in a coherent state with average number of photons $\langle n \rangle$ within one coherence time ($\langle n \rangle = |\alpha|^2 \gg 1$) and phase $\phi$. Phase $\phi = 0$ could define the bit 0 while $\phi = \pi$ could define the bit 1.

A concrete image of a possible phase encoding with non-orthogonal states is seen in Fig. 1. $k = 0$ defines the encoding of 0 and 1 as phase values 0 and $\pi$, respectively. These values are widely separated and easily distinguishable. This ease of distinguishability will be quantified ahead. Distinctly, $k = 1$ defines the encoding of 0 and 1 with phase values $\pi + \Delta\phi$ and $0 + \Delta\phi$, respectively. These bits are also easily distinguishable in $k = 1$. However, the poor distinguishability between 0s and 1s in the distinct bases $k = 0$ and $k = 1$ is crucial for the proposed scheme; this will be quantitatively explained. A bit 0 on this sector is encoded by one of the phases

$$(k = 0, 1) \qquad (6)$$

while a bit 1 is encoded by

$$\phi_1^{(k)} = \pi + k\Delta\phi + k\pi \qquad (k = 0, 1). \qquad (7)$$

FIG. 1: Bit positions in a phase sector with two possible encodings (physical bases) defined by $k = 0$ and $k = 1$. Dark circles indicate positions for a bit 0 and open circles give positions for a bit 1 on each encoding $k$. $\Delta\phi$ is the spacing between the two bases, $\sigma_\phi$ is the standard phase deviation caused by phase fluctuations in a coherent light field, and $\langle n \rangle$ is adjusted so that $\sigma_\phi$ covers close phase values. $\Delta\phi$ should be kept $< \pi/2$.



It can be shown (also ahead) that two non-orthogonal states with phases $\phi_1$ and $\phi_2$ ($\Delta\phi_{12} = |\phi_1 - \phi_2| \ll 1$ and $\langle n \rangle \gg 1$) overlap with (un-normalized) probability

$$P_u = e^{-(\Delta\phi_{12})^2 / 2\sigma_\phi^2}, \qquad (8)$$

where $\sigma_\phi = \sqrt{2/\langle n \rangle}$ is the standard deviation measure for the phase fluctuations $\Delta\phi$. For distinguishable states, $P_u = 0$ (no overlap) and for maximum indistinguishability $P_u = 1$ (complete overlap). With adequate formatting $\phi_1 - \phi_2$ gives the spacing $\epsilon$ ($\Delta\phi_{12} = \epsilon$) already introduced. Eq. (8) with $\Delta\phi_{12}$ replaced by $\Delta\phi$ describes the probability for generic phase fluctuations $\Delta\phi$ in a coherent state of constant amplitude $|\alpha| = \sqrt{\langle n \rangle}$.

The laser light intensity is adjusted by A (or B) such that $\sigma_\phi \gg \Delta\phi$. This guarantees that the recorded information in the files to be sent over the open channel is in a condition such that the recorded light noise makes the two close levels $\phi_1$ and $\phi_2$ highly indistinguishable to the attacker. In order to prevent the legitimate user from confusing 0s and 1s in a single encoding, the light fluctuation should obey $\sigma_\phi \ll \pi/2$. These conditions can be summarized as

$$\frac{\pi}{2} \gg \sqrt{2/\langle n \rangle} \gg \Delta\phi. \qquad (9)$$

This shows that this key distribution system depends fundamentally on physical aspects for security and not just on mathematical complexity.



The separation between bits in the same encoding is easily carried out under the condition $\pi/2 \gg \sqrt{2/\langle n \rangle}$. The condition $\sqrt{2/\langle n \rangle} \gg \Delta\phi$ implies that bit 0 (in encoding $k = 0$) and bit 1 (in encoding $k = 1$) (upper position in Fig. 1) cannot be easily identified, and the same happens with the set of bit 1 (in encoding $k = 0$) and bit 0 (in encoding $k = 1$) (lower position in Fig. 1). However, for A, B and E, there is no difficulty in identifying that a sent signal is encoded by $k = 0$ or $k = 1$. One may therefore assume that physical signals within the same encoding $k$ have negligible overlap. The signal distinguishability could also be studied assuming non-negligible overlap between "upper" and "lower" states, but the results are similar under the desired conditions.



Signal distinguishability 

The attacker does not know the encoding provided to A or B by their shared knowledge of the basis used. An answer to the question "What is the attacker's probability of error in bit identification without repeating a sent signal?" depends on the properties of the physical signals being used. Under the assumption that "upper" positions and "lower" positions in Fig. 1 can be identified with high precision both by the legitimate users and by the attacker, this question basically deals with the distinguishability of the two close physical states in the "upper" or "lower" positions.

Binary identification of two states has a general answer using information theory: the average probability of error in identifying two states $|\psi_0\rangle$ and $|\psi_1\rangle$ is given by the Helstrom bound

$$P_e = \frac{1}{2}\left[1 - \sqrt{1 - |\langle \psi_0 | \psi_1 \rangle|^2}\right]. \qquad (10)$$

Here $|\psi_0\rangle$ and $|\psi_1\rangle$ are coherent states of light $|\alpha\rangle$ with the same amplitude but distinct phases,

$$|\alpha\rangle = \big|\, |\alpha|\, e^{-i\phi} \,\big\rangle, \qquad (11)$$

defined at the PhRG. $|\psi_0\rangle$ defines the states in encoding $k = 0$, where bits 0 and 1 are given by

$$|\psi_0\rangle = \begin{cases} |\alpha\rangle, & \text{for bit } 0, \\ |{-\alpha}\rangle, & \text{for bit } 1, \end{cases} \qquad (12)$$

and $|\psi_1\rangle$ defines the states in encoding $k = 1$, where bits 1 and 0 are given by

$$|\psi_1\rangle = \begin{cases} \big|\, |\alpha|\, e^{-i\Delta\phi} \,\big\rangle, & \text{for bit } 1, \\ \big|\, |\alpha|\, e^{-i(\pi + \Delta\phi)} \,\big\rangle, & \text{for bit } 0, \end{cases} \qquad (13)$$

where $|\phi_{k=0} - \phi_{k=1}| = \Delta\phi$. $|\langle \psi_0 | \psi_1 \rangle|^2$ is calculated in a straightforward way and gives

(14)

For $\langle n \rangle \gg 1$ and $\Delta\phi \ll 1$,

(15)

One should remember that in the proposed system the measuring procedure is defined by the users A and B, and no physical attack launched by E can improve the deterministic signals that were already available to him (or her). Thus, E's knowledge of the signals cannot be increased by measurement techniques.



INFORMATION LEAK AND LENGTH LIMITATION

One should observe that each random bit defining the key sequence is once sent as a message by A (or B) and then resent as a key (encoding information) from B (or A) to A (or B). In a deterministic encryption this would lead straightforwardly to a break of the security. The noisy signals modify this situation dramatically: in both emissions, noise is superposed on the signals. In general, repetitions of a coherent signal imply that a better resolution may be achieved that is proportional to the number of repetitions $r$. This improvement in resolution is equivalent to a single measurement with a signal $r$ times more intense. To take into account the single repetition demanded by the protocol, $\langle n \rangle$ is replaced by $2\langle n \rangle$ in $|\langle \psi_0 | \psi_1 \rangle|^2$. In other words, the protection level will then be considered for signal levels twice as strong as the one currently used. The final probability of error results

This error probability can be used to derive some of the proposed system's limitations. The attacker's probability of success $P_s$ ($= 1 - P_e$) to obtain the basis used in a single emission may be compared with the a-priori starting entropy $H_k$ of the encoding that carries one bit of the message to be sent (a random bit). If the attacker knows the encoding, the bit will also be known, with the same probability $\to 1$ as for the legitimate user.

$$H_{k,\mathrm{bit}} = -p_0 \log p_0 - p_1 \log p_1 = 1, \qquad (17)$$

where $p_0$ and $p_1$ are the a-priori probabilities for each encoding $k$ ($p_0 = p_1 = 1/2$) given by the PhRG. The entropy defined by success events is $H_s = -P_s \log P_s$. The entropy variation $\Delta H = H_{k,\mathrm{bit}} - H_s$ statistically obtained (or leaked from bit measurements) shows the statistical information acquired by the attacker with respect to the a-priori starting entropy:

$$\Delta H_k = H_{k,\mathrm{bit}} - H_s. \qquad (18)$$
FIG. 2: $\Delta H_k$ as a function of $\langle n \rangle$ and $\Delta\phi$.

Fig. 2 shows $\Delta H_k$ for some values of $\langle n \rangle$ and $\Delta\phi$. The value $\Delta H_k = 1/2$ is the limiting case where the two bases cannot be distinguished. Deviations of $\Delta H_k$ from this limiting value of 1/2 indicate that some amount of information on the basis used may potentially be leaking to the attacker. However, it is clear that the attacker cannot obtain bit-by-bit the encoding used.

Length limitation

In order for it to be possible to obtain statistically a good amount of information on a single encoding used, $L$ bits have to be transmitted. $L$ thus establishes the length limitation for bits exchanged starting from $K_0$. It will be defined by

$$L \times \left(\Delta H_k - \frac{1}{2}\right) = 1. \qquad (19)$$

Fig. 3 shows estimates of $L$ for a range of values of $\langle n \rangle$ and $\Delta\phi$ satisfying $L \times (\Delta H_k - \frac{1}{2}) = 1$ ($\Delta\phi$ is given in powers of 2, indicating the bit resolution of analog-to-digital converters). It should be emphasized that $\langle n \rangle$ is the mesoscopic average photon number in the PhRG, while an optical signal in the transmission channel can be carried by very intense light (the deterministic signal).

It is assumed that error correction codes can correct technical errors in the transmission/reception steps for the legitimate users. The leak estimate given by Eq. (19) does not imply that the information actually has leaked to the attacker. However, for security reasons, one takes for granted that this deviation indicates a statistical fraction of bits acquired by the attacker. A probability measure corresponds to condition (19): $p(1) = 1/L = (\Delta H_k - \frac{1}{2})$, expressing that one bit among $L$ bits may have been statistically compromised.
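A numerical walk through Eqs. (10) and (17)-(19), as an added Python example that is not part of the paper. It assumes the standard coherent-state overlap $|\langle\alpha|\beta\rangle|^2 = e^{-|\alpha-\beta|^2}$ for the quantity the paper computes in Eq. (14) (which is not reproduced on this page), evaluates it at $2\langle n \rangle$ as the text prescribes, and returns $\Delta H_k$ and $L$ for a given $\langle n \rangle$ and $\Delta\phi$:

```python
import math


def overlap_sq(n_mean, delta_phi):
    """|<psi0|psi1>|^2 for two coherent states of equal mean photon number n_mean
    whose phases differ by delta_phi. Assumed form (standard coherent-state
    overlap |<a|b>|^2 = exp(-|a-b|^2)); the paper's Eq. (14) is not reproduced
    here. For delta_phi << 1 this is about exp(-n_mean * delta_phi**2)."""
    return math.exp(-2.0 * n_mean * (1.0 - math.cos(delta_phi)))


def helstrom_error(n_mean, delta_phi):
    """Eq. (10): P_e = (1/2) [1 - sqrt(1 - |<psi0|psi1>|^2)]."""
    return 0.5 * (1.0 - math.sqrt(1.0 - overlap_sq(n_mean, delta_phi)))


def attacker_error(n_mean, delta_phi):
    """Each key bit appears in two emissions (as message, then as basis), which
    the text accounts for by replacing <n> with 2<n> in the overlap."""
    return helstrom_error(2.0 * n_mean, delta_phi)


def h_k_bit(p0=0.5):
    """Eq. (17): a-priori entropy of the basis choice; 1 bit for p0 = p1 = 1/2."""
    p1 = 1.0 - p0
    return -p0 * math.log2(p0) - p1 * math.log2(p1)


def delta_h_k(n_mean, delta_phi):
    """Eq. (18): Delta H_k = H_{k,bit} - H_s with H_s = -P_s log2 P_s and
    P_s = 1 - P_e. Equals 1/2 when the bases are indistinguishable (P_e = 1/2)
    and tends to 1 when the attacker identifies the basis with certainty."""
    p_s = 1.0 - attacker_error(n_mean, delta_phi)
    h_s = -p_s * math.log2(p_s)
    return h_k_bit() - h_s


def length_limit(n_mean, delta_phi):
    """Eq. (19): L (Delta H_k - 1/2) = 1. Returns the number of bits after which
    one bit of basis information is assumed to have leaked; infinite when
    Delta H_k sits exactly at the limiting value 1/2."""
    excess = delta_h_k(n_mean, delta_phi) - 0.5
    return math.inf if excess <= 0.0 else 1.0 / excess


def leak_table(n_means, delta_phis):
    """Rows of (<n>, delta_phi, P_e, Delta H_k, L) in the spirit of Figs. 2-3."""
    return [(n, d, attacker_error(n, d), delta_h_k(n, d), length_limit(n, d))
            for n in n_means for d in delta_phis]


if __name__ == "__main__":
    # Constructed grid: delta_phi in powers of 2, as Fig. 3 uses for ADC resolution.
    for row in leak_table([1e2, 1e3, 1e4], [2.0 ** -k for k in (4, 6, 8)]):
        print("<n>=%8.0f dphi=%.5f P_e=%.4f dH_k=%.4f L=%.3g" % row)
```

Smaller $L$ means the legitimate users must discard or refresh sooner; the block makes visible how quickly the $\langle n \rangle \Delta\phi^2$ product pushes $\Delta H_k$ away from the 1/2 limit.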

Privacy amplification procedures can be applied to the shared bits in order to reduce this hypothetical information gained by the attacker to negligible levels.

FIG. 3: Estimates for the minimum length of bits $L$ exchanged between A and B that could give one bit of information about the bases used to the attacker.

These procedures are beyond the purposes of the present discussion, but one can easily accept that A and B may discard a similar fraction of bits to statistically reduce the amount of information potentially leaked. Reducing this fraction of bits after a succession of bits are exchanged between A and B implies, e.g., that the number of bits to be exchanged will decrease at every emission. Eventually, a new shared key $K_0$ has to start the process again to make the system secure. Nevertheless, the starting key length $K_0$ was boosted in a secure way. Without further procedures, the physical noise allowed $K \approx 10^{\ldots} K_0$, a substantial improvement over the classical one-time pad factor of 1. One may still argue that the ultimate security relies on $K_0$, because if $K_0$ is known no secret will exist for the attacker. This is also true but does not invalidate the practical aspect of the system. The $K_0$ length can even be made sufficiently long to frustrate any brute-force attack at any stage of technology. Therefore, the combination of physical noise and complexity makes this noisy one-time pad practical for Internet uses.

FRUSTRATING A-POSTERIORI KNOWN-PLAINTEXT ATTACKS

Known-plaintext attack 

Although the security of the process has been demonstrated, one should also point to a fragility of the system that has to be avoided when A and B are encrypting messages $X$ between them. As was shown, knowledge of one sequence of random bits leads to knowledge of the following sequence for A and B. This makes the system vulnerable to known-plaintext attacks in the following way: E has a perfect record of the sequences $Y_1$ and $Y_2$ and tries to recover any key sequence from them, $K_2$, $K_1$ or $K_0$. E will wait until A and B use these sequences for encryption before trying to break the system. A and B will encrypt a message using a new shared sequence, $K_1$ or $K_2$. This message could be a plaintext, say $X = x_1, x_2, \ldots, x_{K_0}$, known to the attacker. Encrypting this message with, say, $K_1$ in a noiseless way gives $Y = x_1 \oplus k_1^{(1)}, x_2 \oplus k_2^{(1)}, \ldots, x_{K_0} \oplus k_{K_0}^{(1)}$. Performing the operation $Y \oplus X$, E obtains $K_1$. The chain dependence of $K_j$ on $K_{j-1}$ allows E to find successive keys. Even addition of noise to the encrypted file does not eliminate this fragility, because the attacker can use his/her knowledge of $X$ (as the key) to obtain $K$ (as a message). The situation is symmetric between B and the attacker: the one that knows the key ($X$ for E, and $K$ for B) obtains the desired message ($K$ for E, and $X$ for B).

This kind of attack can be frustrated with a simple strategy, as explained ahead. In general, random generation processes are attractive to attackers. Even physical components (e.g. the PhRG) are targets for attackers that may try to substitute a true random sequence by pseudo-random bits generated from a seed key under his/her control. Electronic components can also be inserted to perform this task, replacing the original generator; electric or electromagnetic signals may induce sequences for the attacker, and so on. While these can be controlled by simple equipment surveillance, the known-plaintext attack is more subtle. A may not know, e.g., that some information to be transmitted to B is known to the attacker.

Frustrating the known-plaintext attack 

This attack can be avoided by shuffling (permutation operations) the random bit sequence being transmitted from A to B (or B to A), followed by a re-shuffling by B (or A). A particular shuffling function could be chosen among members of a family of one-way functions by use of a short sequence of shared secret random bits. An even simpler (or less costly) way is to use the short sequence of bits to choose one among a list of pre-recorded permutations, which speeds up the processing time. The shuffling function used changes from block to block of the sequences exchanged. This creates a non-invertible structure for the attacker.

Although the number of bits $n_s$ necessary to select one among the $K_0!$ permutations of $K_0$ bits has too high a cost, a reduced number of permutations $K_0!/d$ within the $K_0!$ can be chosen to provide the pre-recorded list and still leave a negligible chance for the attacker to obtain a particular choice among the $K_0!/d$. With this reduced list, the number of bits $n_d$ necessary to assign a particular permutation is given by $K_0!/d = 2^{n_d}$. At the same time the probability $p_d$ for the attacker to find this particular permutation choice is $p_d = 1/(K_0!/d)$.

The a-posteriori known-plaintext attack can then be frustrated by the shuffled sequence. The random bit sequence used in this process is also protected by the encryption method with the added noise.
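The chain weakness and the shuffling countermeasure of this section, as an added Python example that is not part of the paper. It uses the noiseless binary (XOR) picture the text itself uses for the attack, a constructed pre-recorded list of $2^{n_d}$ permutations, and the $n_d$ and $p_d$ relations above; the list size, key lengths and seed are assumptions:

```python
import math
import random


def xor(a, b):
    """Bit-by-bit XOR of two equal-length bit lists (one-time pad operation)."""
    return [x ^ y for x, y in zip(a, b)]


def apply_perm(bits, perm):
    """Shuffle: output position i receives input position perm[i]."""
    return [bits[p] for p in perm]


def invert_perm(perm):
    """Inverse permutation, so apply_perm(apply_perm(b, p), invert_perm(p)) == b."""
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def make_perm_list(n_bits, n_d, rng):
    """Constructed pre-recorded list of K0!/d = 2**n_d permutations of n_bits
    positions (the paper's reduced list), selected later by n_d shared bits."""
    perms = []
    for _ in range(2 ** n_d):
        p = list(range(n_bits))
        rng.shuffle(p)
        perms.append(p)
    return perms


def select_bits_needed(k0_len, d):
    """n_d from K0!/d = 2**n_d (rounded up) and the guessing chance p_d = 1/(K0!/d)."""
    size = math.factorial(k0_len) // d
    return math.ceil(math.log2(size)), 1.0 / size


def known_plaintext_chain(k1, y2, x):
    """The fragility described in the text: E holds Y2 = K1 xor K2 (noiseless
    picture) and a ciphertext Y = X xor K1 of a plaintext X it knows.
    Y xor X yields K1, and Y2 xor K1 then yields K2."""
    y = xor(x, k1)
    recovered_k1 = xor(y, x)
    return recovered_k1, xor(y2, recovered_k1)


def shuffled_exchange(k1, k2, perms, index):
    """Countermeasure: B transmits a shuffled K2 under a permutation chosen from
    the pre-recorded list by the short shared secret `index`; A re-shuffles."""
    y2 = xor(k1, apply_perm(k2, perms[index]))
    k2_at_a = apply_perm(xor(y2, k1), invert_perm(perms[index]))
    return y2, k2_at_a


def demo(n_bits=64, n_d=6, seed=7):
    rng = random.Random(seed)
    k1 = [rng.randrange(2) for _ in range(n_bits)]
    k2 = [rng.randrange(2) for _ in range(n_bits)]
    x = [rng.randrange(2) for _ in range(n_bits)]     # plaintext known to E
    perms = make_perm_list(n_bits, n_d, rng)
    index = rng.randrange(len(perms))                  # shared short secret

    # Without shuffling, one known plaintext lets E walk the chain to K2.
    plain_y2 = xor(k1, k2)
    _, k2_from_chain = known_plaintext_chain(k1, plain_y2, x)

    # With shuffling E still gets K1 and the shuffled K2 but must pick the
    # permutation; count list entries that would give the true K2 (checked
    # here against K2 itself, which E does not have).
    y2, k2_at_a = shuffled_exchange(k1, k2, perms, index)
    shuffled_k2 = xor(y2, k1)
    hits = sum(apply_perm(shuffled_k2, invert_perm(p)) == k2 for p in perms)

    return {
        "chain_attack_recovers_k2": k2_from_chain == k2,
        "a_recovers_k2_with_shuffle": k2_at_a == k2,
        "permutations_matching_k2": hits,
        "list_size": len(perms),
    }


if __name__ == "__main__":
    print(demo())
    print(select_bits_needed(16, 1))
```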



MESSAGE AUTHENTICATION 

Encryption performed by one user with the shared random bits can only be decrypted by the other legitimate user, and the message obtained can therefore be understood as "authentic". However, it may happen that particular messages need explicit message authentication without the need to decrypt. Fortunately, this can be done with a modest use of shared secret random bits. For example, Ref. [3] describes a message authentication code (MAC) where one key with $k$ shared secret bits encodes message blocks and generates a tag $T$. No decryption is needed; the receiver applies the shared key to the received data stream to generate the tag $T'$. Authenticity is given by $T' = T$.

CONCLUSIONS 

In conclusion, it has been shown that Internet users will succeed in generating and sharing, in a fast way, a large number of secret keys to be used in bit-by-bit encryption (one-time pad). They have to start from a shared secret sequence of random bits obtained from a physical random generator. The physical noise in the openly transmitted signals is set to hide the random bits sent. No intrusion detection method is necessary. Privacy amplification protocols eliminate any fraction of information that may eventually have been obtained by the attacker. As the security is not only based on mathematical complexities but depends on physical noise, scientific or technological advances will not harm this system. This is then very different from systems that would rely entirely, say, on the current lack of efficient algorithms to factor large numbers into their primes. The system is also secure against a posteriori known-plaintext attacks on the key. It was then shown that by sharing secure secret key sequences, a practical bit-by-bit encryption over the Internet can be implemented.

*E-mail: GeraldoABarbosa@hotmail.com 